File: https://mega.nz/#!zEAU1AQL!oWJ63n-D6lCuCQ4AY0Cv_405hX8kn7MEsa1iLH5UjKU
Passphrase: CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN
Complaints/cits: to jvn @ dustri.org
Browsable dir: https://github.com/x0rz/EQGRP

  • COTTONAXE
  • STOICSURGEON
  • INCISION
  • ITIME
  • *dffff
  • ELDESTMYDLE
  • SUAVEEYEFUL
  • WATCHER
  • YELLOWSPIRIT

Misc

  • FUCK YEAH (HIDELIGHT) unhide NOPEN window to run unix oracle db scripts
  • DUL shellcode packer
  • egg_timer execution delayer (equivalent to at)
  • ewok snmpwalk-like?
  • gr Web crontab manager? wtf. NSA are webscale dude
  • jackladderhelper simple port binder
  • magicjack DES implementation in Perl
  • ri equivalent to rpcinfo
  • uX_local Micro X server, likely for remote management

Remote Code Execution

Solaris

  • EVENLESSON - Exploit for OpenSSL 0.9.6d x86 and earlier
  • CATFLAP Solaris 7/8/9 (SPARC and Intel) RCE (for a LOT of versions)
  • EASYSTREET/
  • EBBISLAND/ELVISCICADA/snmpXdmid and frown: CVE-2001-0236, Solaris 2.6-2.9 - snmpXdmid Buffer Overflow
  • sneer: mibissa (Sun snmpd) RCE, with DWARF symbols :D
  • dtspcdx_sparc dtspcd RCE for SunOS 5. -5.8. what a useless exploit
  • TOOLTALK DEC, IRIX, or Sol2.6 or earlier Tooltalk buffer overflow RCE
  • VIOLENTSPIRIT RCE for ttsession daemon in CDE on Solaris 2.6-2.9 on SPARC and x86

Netscape Server

  • xp_ns-httpd NetScape Server RCE
  • nsent RCE for NetScape Enterprise server 4.1 for Solaris
  • eggbasket RCE for Netscape Enterprise/3.6 & 3.6 SP1, solaris 2.6-2.9

FTP servers

  • EE proftpd 1.2.8 RCE, for RHL 7.3+/Linux, CVE-2011-4130? another reason not to use proftpd
  • wuftpd likely CVE-2001-0550

Web

  • ESMARKCONANT exploits phpBB vulnerability (<2.0.11): CVE-2005-2086
  • ELIDESKEW Publicly known vulnerability in SquirrelMail versions 1.4.0 - 1.4.7: likely CVE-2006-4019
  • ELITEHAMMER Runs against RedFlag Webmail 4, yields user nobody
  • ENVISIONCOLLISION RCE for phpBB (derivative) Installs a hook on IP.Board to gain RCE
  • EPICHERO RCE for Avaya Media Server
  • ELEGANTEAGLE RCE in cPanel via toffeehammer
  • EXCELBERWICK RCE against xmlrpc.php on Unix platforms (Probably CVE-2005-1921)

Misc

  • calserver spooler RPC based RCE
  • EARLYSHOVEL RCE RHL7 using sendmail
  • ECHOWRECKER/sambal: samba 2.2 and 3.0.2a - 3.0.12-5 RCE (with DWARF symbols), for FreeBSD, OpenBSD 3.1, OpenBSD 3.2 (with a non-executable stack, zomg), and Linux. Likely CVE-2003-0201. There is also a Solaris version
  • ELECTRICSLIDE RCE (heap-overflow) in Squid, with a chinese-looking vector
  • EMBERSNOUT a remote exploit against Red Hat 9.0's httpd-2.0.40-21
  • EMPTYBOWL RCE for MailCenter Gateway (mcgate) - an application that comes with Asia Info Message Center mailserver; buffer overflow allows a string passed to a popen() call to be controlled by an attacker; arbitrary command execution known to work only for AIMC Version 2.9.5.1
  • ENGAGENAUGHTY/apache-ssl-linux Apache2 mod-ssl RCE (2008), SSLv2
  • ERRGENTLE/xp-exim-3-remote-linux Exim remote root, Exim Mail Transfer Agent version 3.22-3.35, likely CVE-2001-0690
  • ENTERSEED Postfix RCE, for 2.0.8-2.1.5
  • extinctspinash: Chili!Soft ASP stuff RCE? and Cobalt RaQ too?
  • EYEMASK - IMAP masquerade
  • KWIKEMART (km binary) RCE for SSH1 padding crc32 thingy (https://packetstormsecurity.com/files/24347/ssh1.crc32.txt.html)
  • EXPOSITTRAG/prout (ab)use of the pcnfsd RPC program (version 2.x only) (1999)
  • SKIMCOUNTRY Steal mobile phone log data
  • SLYHERETIC_CHECKS Check if a target is ready for SLYHERETIC (not included)
  • slugger: various printers RCE, looks like CVE-1999-0078
  • statdx Redhat Linux 6.0/6.1/6.2 rpc.statd remote root exploit (IA32)
  • telex Telnetd RCE for RHL ? CVE-1999-0192?
  • toffeehammer RCE for cgiecho part of cgimail, exploits fprintf
  • VS-VIOLET Solaris 2.6 - 2.9, something related to XDMCP

Anti-forensic

  • Auditcleaner cleans up audit.log
  • DIZZYTACHOMETER: Alters RPM database when system file is changed so that RPM (>4.1) verify doesn't complain
  • DUBMOAT Manipulate utmp
  • pcleans: pacctl manipulator/cleaner
  • scrubhands post-op cleanup tool?
  • toast: wtmps editor/manipulator/querier
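DUBMOAT and toast above edit utmp/wtmp. A defender-side check, added here and not part of the dump or of x0rz's notes: parse wtmp using the glibc x86_64 record layout and flag the traces such editors tend to leave (records overwritten with zeros, timestamps that run backwards, a logout with no preceding login on the same line). The sample records are constructed inline; the 384-byte layout assumes a 64-bit glibc wtmp and the heuristics are my own, not anything the dump documents.

```python
"""Heuristic integrity check for Linux wtmp/utmp files (glibc x86_64 layout)."""
import struct
import sys

# struct utmp as laid out by glibc on x86_64: 384 bytes per record.
# ut_type(h) pad(2) ut_pid(i) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
# exit_status(h,h) ut_session(i) ut_tv(i,i) ut_addr_v6[4](4i) __unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


def _cstr(b: bytes) -> str:
    """NUL-terminated fixed-width field -> str."""
    return b.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_wtmp(data: bytes) -> list:
    """Decode a wtmp blob into a list of record dicts (keeps the raw bytes too)."""
    if len(data) % UTMP_SIZE:
        raise ValueError("length %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]),
            "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9],
            "raw": data[off:off + UTMP_SIZE],
        })
    return records


def check_wtmp(records: list) -> list:
    """Return (index, reason) pairs for records that look edited or nulled out."""
    findings = []
    open_lines = set()
    last_ts = 0
    for i, r in enumerate(records):
        if r["raw"] == b"\x00" * UTMP_SIZE:
            # Editors that 'remove' a login by overwriting it with zeros leave this.
            findings.append((i, "all-zero record"))
            continue
        if r["time"] < last_ts:
            # wtmp is append-only, so time should never decrease.
            findings.append((i, "timestamp goes backwards (%d < %d)" % (r["time"], last_ts)))
        last_ts = max(last_ts, r["time"])
        if r["type"] == USER_PROCESS:
            open_lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS:
            if r["line"] in open_lines:
                open_lines.discard(r["line"])
            else:
                findings.append((i, "logout on %s without a preceding login" % r["line"]))
    return findings


def make_record(ut_type, pid, line, user, host, tv_sec) -> bytes:
    """Build one 384-byte record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


T0 = 1_700_000_000  # constructed base timestamp
# Constructed sample: a clean boot and one full session, then an open login,
# then the two things a wtmp editor typically leaves behind.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "", T0),
    make_record(USER_PROCESS, 1234, "pts/0", "alice", "10.0.0.5", T0 + 100),
    make_record(DEAD_PROCESS, 1234, "pts/0", "", "", T0 + 400),
    make_record(USER_PROCESS, 2222, "pts/1", "bob", "10.0.0.9", T0 + 500),
    b"\x00" * UTMP_SIZE,                                         # nulled-out login
    make_record(DEAD_PROCESS, 3333, "pts/2", "", "", T0 + 300),  # backdated orphan logout
])

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_WTMP
    for idx, why in check_wtmp(parse_wtmp(data)):
        print("record %d: %s" % (idx, why))
```

Run it as `python3 wtmpcheck.py /var/log/wtmp`. A rotated wtmp can legitimately open with logouts whose logins live in the previous file, so cross-check hits against auth.log and lastlog before calling them tampering; a utmp editor that rewrites timestamps consistently will not trip the ordering check at all, which is exactly why the audit/pacct side (Auditcleaner, pcleans) is worth correlating too.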

Control

Iting HP-UX, Linux, SunOS

  • FUNNELOUT: database-based web-backdoor for vbulletin
  • hi UNIX bind shell
  • jackpop redirector/bind shell for SPARC
  • NOPEN Backdoor? A RAT or post-exploitation shell consisting of a client and a server that encrypts data using RC6 source
  • ORLEANSTRIDE
  • SAMPLEMAN / ROUTER TOUCH Clearly hits Cisco via some sort of redirection via a tool on port 2323 (thanks to @cynicalsecurity)
  • SECONDDATE Implant for Linux/FreeBSD/Solaris/JunOS
  • SHENTYSDELIGHT Linux keylogger
  • SIDETRACK implant used for PITCHIMPAIR
  • SIFT Implant for Solaris/Linux/FreeBSD
  • SLYHERETIC SLYHERETIC is a light-weight implant for AIX 5.1-5.2. Uses Hide-in-Plain-Sight techniques to provide stealth.
  • STRIFEWORLD: Network-monitoring for UNIX, needs to be launched as root. Strifeworld is a program that captures data transmitted as part of TCP connections and stores the data in memory for analysis. Strifeworld reconstructs the actual data streams and stores each session in a file for later analysis.
  • SUCTIONCHAR: 32 or 64 bit OS, solaris sparc 8,9, Kernel level implant - transparent, sustained, or realtime interception of processes input/output vnode traffic, able to intercept ssh, telnet, rlogin, rsh, password, login, csh, su, …

CnC

  • Seconddate_CnC: CnC for SECONDDATE
  • ELECTRICSIDE likely a big-fat-ass CnC
  • NOCLIENT Seems to be the CnC for NOPEN*
  • DEWDROP
  • PORKSERVER inetd-based server for the PORK implant

Privesc

Linux

  • h: linux kernel privesc, old-day compiled hatorihanzo.c, do-brk() in 2.4.22 CVE-2003-0961
  • gsh: setreuid(0,0);execl("bash","/bin/bash")
  • PTRACE/FORKPTY/km3: linux kernel lpe, kmod+ptrace, CVE-2003-0127, (https://mjt.nysv.org/scratch/ptrace_exploit/km3.c)
  • EXACTCHANGE: NULL-deref based local-root, based on various sockets protocols, compiled in 2004, made public in 2009
  • ghost: statmon/tooltalk privesc?
  • ELGINGAMBLE: LPE, takes advantage of an input validation error in the kernel (prctl core dump) to create a cron script that spawns root shell. Linux 2.6.13 - 2.6.17.4
  • ESTOPFORBADE local root via gds_inet_server for Cobalt Linux release 6.0, to be used with complexpuzzle
  • ENVOYTOMATO LPE through bluetooth stack(?)
  • ESTOPMOONLIT Linux LPE, using binfmt_aout module
  • EPOXYRESIN Linux LPE
  • SM11X - Linux LPE for RHL 7/7.1, SUSE 7.2 using sendmail 8.11-8.12.beta16

AIX

  • EXCEEDSALON-AIX privesc

Others

  • procsuid: setuid perl (yes, it's a real thing) privesc through unsanitized environment variables. wtf dude
  • elatedmonkey: cpanel privesc (0day) using /usr/local/cpanel/3rdparty/mailman/. Creates mailman mailing list: mailman config_list
  • estesfox: logwatch privesc, old-day
  • evolvingstrategy: privesc, likely for Kaspersky Anti-virus (/sbin/keepup2date is kaspersky's stuff) (what is ey_vrupdate?)
  • EVOKEPROMPT (eh-privesc) Exploits Open WebMail's openwebmail-folder.pl script (above v2.10), requires valid session token
  • escrowupgrade cachefsd for solaris 2.6 2.7 sparc
  • ENGLANDBOGY local exploit Xorg X11R7 1.0.1, X11R7 1.0, X11R6 6.9, Includes the following distributions: MandrakeSoft Linux 10.2, Ubuntu 5.0.4, SuSE Linux 10.0, RedHat Fedora Core5, MandrakeSoft Linux 2006.0. requires a setuid Xorg
  • endlessdonut: Apache fastcgi privesc

Interesting stuff

  • default passwords list (courtesy of x0rz)